Protecting documents using policies and encryption

ABSTRACT

A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application is a continuation of U.S. patent applicationSer. No. 13/193,588, filed Jul. 28, 2011, issued as U.S. Pat. No.9,064,131 on Jun. 23, 2015, which claims the benefit of U.S. patentapplication Ser. No. 61/368,408, filed Jul. 28, 2010. These applicationsare incorporated by reference along with all other references cited inthis application.

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the U.S. Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

BACKGROUND OF THE INVENTION

The present invention relates to the field of information and documentmanagement, and more specifically, to protecting documents at rest andin motion using declarative policies and encryption.

Controlling access to a document is typically the role of an operatingsystem. Modern operating systems provide rudimentary access controlmechanisms such as file system attributes or access control lists (ACL)which limit access to a file on a file system directly attached to thehost of the operating system. When a computer is connected to a network,the task of protecting documents on a computer becomes more complicated.To protect data on a networked computer, consideration is given toprotecting data-at-rest (e.g., data stored on a storage device),data-in-motion (e.g., data being transmitted but has not reached itsdestination), and discrepancies introduced by a heterogeneous operatingenvironment (e.g., different capabilities and limitations of operatingsystems and file systems). As more users have access to data stored on anetworked computer, more sophisticated access and usage control may bedesired.

Document management systems provide additional control and protection todocuments especially on a computer network. A document management systemmay require a document to be checked in to a document managementrepository in order to be protected. To read or change a document in adocument management repository, a user may check out a document from adocument management repository. Once a document is checked out,protection offered by a document management system may cease. As aresult, protection offered by a document management system may belimited to documents residing in a document management repository butnot copies of the documents retrieved from a document managementrepository.

To keep data protected at all times, encryption may be applied before adocument is stored or transmitted. While encryption's ability to protectinformation is desirable, common encryption techniques have their shareof shortcomings. For example, most encryption algorithms arecomputationally expensive and encrypting a large document can be timeconsuming. Moreover, managing the encryption keys of a large number ofdocuments, securing encryption keys, and keeping encryption keysavailable all the times can be very complicated.

A popular application of encryption is an encrypted file system. In anattempt to address a limitation of operating system-based access controlwhere files on a storage device are left unprotected when an operatingsystem is disabled (or bypassed) or a storage device is removed from ahost computer, many modern operation systems support file systemencryption. On an encrypted file system, either all or selected filesare encrypted before saving the files to a storage device (e.g., harddisk or Flash drive). Encryption keys used to encrypt files are managedby an operating system, whereby encryption and decryption of files arelargely transparent to users. While an encrypted file system isdesirable for some applications, files on an encrypted file system maybecome unprotected when they are copied or moved from the encrypted filesystem. For example, if a user copies a file from an encrypted filesystem to a file system that does not support file encryption, the copyof the file at the destination is left unprotected. Further, anencrypted file system does not protect data-in-motion (e.g., when a fileon a file server is opened by a client computer on the network) and anencrypted network protocol must be used to protect the content of a filebeing transmitted.

Some application programs offer document encryption via a proprietaryencrypted document format (e.g., Microsoft Word®, Microsoft Excel®,Adobe Acrobat®. While application specific encryption offers aconvenient, easy to deploy document protection solution, such a solutionmay be difficult to manage as it lacks a sophisticated encryption keymanagement infrastructure. For example, an application specificencryption solution may require a user to save a document in anencrypted format explicitly and maintain a password to open the documentat a later time. This makes document protection not transparent to auser. In addition, application specific encryption is applicationspecific, so it cannot be applied to protect other documents notassociated with a specific application program.

Another popular use of encryption can be found in digital rightsmanagement (DRM) solutions. Unlike a document management system which isdesigned to protect source (or original) documents, DRM is designedspecifically to protect renditions (or derivatives) of a source documentin distribution. Common DRM solutions have licensing informationembedded in a document being distributed, and rely on a custom reader(or player) or custom application plug-in to control access, limitrights assigned to a particular user or a particular distribution (e.g.,do not allow access to content after it expires, do not allow copyingcontent to clipboard, or do not allow printing of content), and trackusage. DRM solutions are designed to protect renditions of a document indistribution where a rendition does not change after it is produced. Incontrast, enterprise information management solutions can managefrequently changing documents along with frequently changing access andusage rights to the documents. As a result, DRM solutions designed toprotect documents in distribution may not work well in managing sourcedocuments in an enterprise. Another shortcoming of DRM solutions is thatDRM solutions may not protect documents that are not encrypted.

It would be advantageous for an information management system to offerthe benefits of a sophisticated policy-based document access and usagecontrol and fulltime content protection offer by encryption. It wouldfurther be advantageous to perform encryption and decryptionautomatically without user intervention. It would also be advantageousto encrypt confidential documents at rest and in motion. It would alsobe advantageous to associate encryption service with a policy enforcerof an information management system so that documents being encryptedare portable across operating systems and file systems. It would also beadvantageous to have an encrypted document that is not applicationprogram dependent. It would also be advantageous to have an encryptionservice transparent to application programs (such as Microsoft Word(RTM)) so that a custom application is not required to read an encrypteddocument. It would also be advantageous to protect documents in placewithout requiring a user to check-in or check-out a document from adocument management repository.

BRIEF SUMMARY OF THE INVENTION

A technique and system of the invention for encrypting and decryptingdata using policies is implemented. The present invention describesmethods, techniques, and systems encrypt and decrypt data based on or inconjunction with a policy enforcer.

In an implementation of the invention, a method of the invention uses ashared key ring. A policy enforcer maintains one or more shared keyrings where each shared key ring contains one or more keys. Raw datafiles may be encrypted with the newest key in a key ring by default. Toshare a document, key encryption data portion is reencrypted with ashared key (Ksh), and the name of a shared key ring along with a keyidentifier are stored with the encrypted document.

In an implementation of the invention, a method of the invention usessharing in-place. An encrypted document is stored on a file serveraccessible from two different domains. To share a document, the key dataportion of the document is reencrypted using a shared key Ksh. To stopsharing, the key data portion of the document is reencrypted using adomain key Kd.

In an implementation of the invention, a method of the inventionswitches from domain key (or local key) to shared key upon sending adocument, for example, in an e-mail. A policy enforcer detects adocument is sent to a domain different from the current domain. Thepolicy enforcer replaces key data of the document that is encrypted witha domain key Kd with key data encrypted with shared key Ksh.

In an implementation, a method for a shared key ring includes: a policyenforcer that maintains a shared key ring that contains exactly onedomain key and one or more shared key; raw data files are encrypted withdomain key (Kc+kd) by default; and to share a document, key encryptiondata portion is reencrypted with Ksh.

In an implementation, a method for sharing in-place includes: anencrypted document is sitting on a file server accessible from twodifferent domains; to share a document, reencrypt the key data portionof the document using a shared key Ksh; and to stop sharing, reencryptthe key data portion of the document using a domain key Kd.

In an implementation, a method for switching from domain key to sharedkey on send (e.g., e-mail) includes: a policy enforcer detects adocument is sent to a domain different from current domain; and thepolicy enforcer replaces key data of the document that is encrypted witha domain key Kd with key data encrypted with shared key Ksh.

In an implementation, a method of controlling document access usingcentrally managed rules, the method including: distributing a firstplurality of rules to a client system from a central rule database,where the first plurality of rules distributed to the client systemcontain at least one expression used by the client system to performaccess control for documents accessed by the client system, and wherethe client system rule distributing step dynamically selects the firstplurality of rules for the client system; distributing a secondplurality of rules to a server from the central rule database, where thesecond plurality of rules distributed to the server contain at least oneexpression used by the server to perform access control for documentsstored on the server, where the server rule distributing stepdynamically selects the second plurality of rules for the server, andwhere rules in the central rule database are maintained by a centralrule server.

Some aspects of the invention include: (1) Two views of an encryptedfile depending on trust. (2) using policy enforcer to manage keys. Thisis in contrast to an encrypted file system using the operating system toencrypt, and digital rights management system uses an application, suchas a media player. (3) How encryption works as an extension. (4) Howtrust is established.

In various implementations, (1) a trusted application sees unencrypteddata of a document but a untrusted application sees encrypted data ofthe same document. One file is being served two ways. (2) Using policyenforcer to manage encryption keys and how keys are used. May alsoinclude local and share key concepts. (3) Encryption is an extension topolicy enforcer. Policy enforcer can work without encryption extension.Encryption has policy enforcer obtaining the key. Logistics in gettingkey and then encrypt. Logistics in getting key and then decrypt.

(4) The process on establishing trust on an application program andapplication of trust in a policy enforcer extension. Policy enforcerestablishes trust on an application program (or a process). Trust isbeing applied in encryption. For example, no trust, then no decrypteddata. (5) Auto switching encryption key on an encrypted document.Switching from local encryption key to shared encryption key: whenattaching to an e-mail; when sending in an e-mail; or when copying afile form local computer to a file server. Switching from sharedencryption key to local encryption key: when saving an attachment tolocal disk; or when copying a file from file server to local computer.

In further various implementations, (1) policy driven encryption basedon document content or document attribute. (2) Autowrapping a regularfile (automatically encrypting the file): autowrapping on e-mail send;autowrapping on attach to e-mail; or autowrapping on ZIP or usinganother file archiver format (e.g., RAR, 7z, XZ, BZIP2, GZIP, TAR, ZIP,WIM, ARJ, CAB, CHM, CPIO, CramFS, DEB, DMG, FAT, HFS, ISO, LZH, LZMA,MBR, MSI, NSIS, NTFS, RAR, RPM, SquashFS, UDF, VHD, WIM, XAR, or Z).

In an implementation, a method for preventing misuse of encrypteddocument content includes: providing an encryption service running on acomputing device; accessing an encrypted document by an applicationprogram on the computing device; intercepting the accessing an encrypteddocument operation at the encryption service; identifying theapplication program attempting the accessing an encrypted documentoperation; determining if the application program can be trusted toprotect unencrypted content of the encrypted document; if theapplication program is determined to be trusted, decrypting theencrypted document to produce unencrypted content and providing theunencrypted content to the application program; and if the applicationprogram is determined not to be trusted, providing encrypted content ofthe encrypted document to the application program.

In various implemenations, the encryption service is a file systemfilter device driver. The encryption service is a device driver.Accessing an encrypted document includes any one of opening theencrypted document or reading the content of the encrypted document.Identifying the application program attempting the accessing anencrypted document operation includes examining a process that invokesthe accessing an encrypted document operation.

Determining if the application program can be trusted to protectunencrypted content of the encrypted document further includes: queryinga policy enforcer to determine if the application program can be trustedto protect unencrypted content of the encrypted document. If theapplication program is determined to be trusted, decrypting theencrypted document to produce unencrypted content further includes:obtaining an encryption key from a policy enforcer to decrypt theencrypted document.

In an implementation, a method of distributing encryption keys in aninformation management system includes: providing a plurality ofencryption keys for encrypting and decrypting documents, where theplurality of encryption keys are stored in a key management server;providing a plurality of policies for controlling access to documents,where the plurality of policies are stored on a policy server; providinga policy enforcer on a computing device; accessing an encrypted documentby an application program, where the application program runs on thecomputing device; distributing a subset of the plurality of polices tothe policy enforcer, where the policy enforcer enforces the subset ofthe plurality of polices to control access to documents at the computingdevice; distributing a subset of the plurality of encryption keys to thepolicy enforcer, wherein the policy enforcer manages the subset of theplurality of encryption keys to control encryption and deception ofdocuments at the computing device; intercepting the accessing anencrypted document by an application program by the policy enforcer;evaluating at least one policy in the subset of the plurality ofpolicies by the policy enforcer to determine if the accessing anencrypted document by the application program should be allowed; if theaccessing an encrypted document by the application program is notallowed, denying access to the encrypted document by the applicationprogram; and if the accessing an encrypted document by the applicationprogram is allowed, providing an encryption key for decrypting theencrypted document to produce unencrypted content of the encrypteddocument and providing the unencrypted content to the applicationprogram.

In various implementations, the key management server and the policyserver are the same. Accessing an encrypted document includes any one ofopening the encrypted document, or reading the content of the encrypteddocument. Distributing a subset of the plurality of polices to thepolicy enforcer is performed periodically. A policy enforcer requests anencryption key from key management server by key ring name. Thedecrypting the encrypted document to produce unencrypted content ishandled by an encryption service of the operating system.

Other objects, features, and advantages of the present invention willbecome apparent upon consideration of the following detailed descriptionand the accompanying drawings, in which like reference designationsrepresent like features throughout the figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a simplified block diagram of a distributed computernetwork 100 incorporating an embodiment of the present invention.

FIG. 2 shows a more detailed diagram of a computer system which may be aclient or server.

FIG. 3 shows a system block diagram of computer system 201 used toexecute the software of the present invention.

FIG. 4 shows a simple block diagram of a policy enforcer forimplementing one or more policies.

FIG. 5 shows an information management system with a plurality of policyenforcers running on different types of computing devices.

FIG. 6 shows a policy enforcer with an add-on providing encryptionservice.

FIG. 7 shows a structure of an encrypted document.

FIG. 8 shows a key management server that manages encryption keys usedby a plurality of policy enforcers.

FIG. 9 shows a flow for encrypting a new document using local encryptionkey.

FIG. 10 shows a flow for encrypting a new document using a sharedencryption key.

FIG. 11 shows a flow for encrypting a document without using a policy.

FIG. 12 shows a flow for decrypting a document using local encryptionkey.

FIG. 13 shows a flow for decrypting a document where decryption isinitiated by an encryption service and encryption is completed withassistance from a policy enforcer.

FIG. 14 shows a flow for encrypting a document using local encryptionkey after the document is modified.

FIG. 15 shows a flow for switching from a local encryption key to ashared encryption key when an encrypted document is copied from anendpoint to a file server.

FIG. 16 shows a flow for switching from a shared encryption key to alocal encryption key when an encrypted document is copied from a fileserver to an endpoint.

FIG. 17 shows a flow for encrypting an attachment of an e-mail.

FIG. 18 shows a flow for switching from a shared encryption key to alocal encryption key when an attachment of an e-mail is saved to localstorage at an endpoint.

FIG. 19 shows a flow for encrypting a new document to be saved on a fileserver using a shared encryption key at an endpoint.

FIG. 20 shows a flow for encrypting a new document to be saved in ashared folder using a shared encryption key at an endpoint.

FIG. 21 shows a flow for sharing a folder at an endpoint.

DETAILED DESCRIPTION OF THE INVENTION

A policy enforcement system that controls access to and usage of data ina document is described in U.S. provisional patent application60/755,019, filed Dec. 29, 2005. Associating ancillary data to documentsand tagging are described in U.S. provisional patent application61/357,016, filed Jun. 21, 2010. More details on policy enforcement aredescribed in U.S. patent application Ser. Nos. 11/383,159, 11/383,161,and 11/383,164, filed May 12, 2006, and 11/615,477, filed Dec. 22, 2006.These applications are incorporated by reference along with all otherreferences cited in this application.

FIG. 1 shows a simplified block diagram of a distributed computernetwork 100 incorporating an embodiment of the present invention.Computer network 100 includes a number of client systems 113, 116, and119, and a server system 122 coupled to a communication network 124 viaa number of communication links 128. Communication network 124 providesa mechanism for allowing the various components of distributed network100 to communicate and exchange information with each other.

Communication network 124 may itself be comprised of many interconnectedcomputer systems and communication links. Communication links 128 may behardwire links, optical links, satellite or other wirelesscommunications links, wave propagation links, or any other mechanismsfor communication of information. Various communication protocols may beused to facilitate communication between the various systems shown inFIG. 1. These communication protocols may include TCP/IP, HTTPprotocols, wireless application protocol (WAP), vendor-specificprotocols, customized protocols, and others. While in one embodiment,communication network 124 is the Internet, in other embodiments,communication network 124 may be any suitable communication networkincluding a local area network (LAN), a wide area network (WAN), awireless network, a intranet, a private network, a public network, aswitched network, and combinations of these, and the like.

Distributed computer network 100 in FIG. 1 is merely illustrative of anembodiment incorporating the present invention and does not limit thescope of the invention as recited in the claims. One of ordinary skillin the art would recognize other variations, modifications, andalternatives. For example, more than one server system 122 may beconnected to communication network 124. As another example, a number ofclient systems 113, 116, and 119 may be coupled to communication network124 via an access provider (not shown) or via some other server system.

Client systems 113, 116, and 119 typically request information from aserver computer system which provides the information. For this reason,servers typically have more computing and storage capacity than clientsystems. However, a particular computer system may act as both as aclient or a server depending on whether the computer system isrequesting or providing information. Additionally, although theinvention has been described using a client-server environment, itshould be apparent that the invention may also be embodied in astand-alone computer system.

Server 122 is responsible for receiving information requests from clientsystems 113, 116, and 119, performing processing required to satisfy therequests, and for forwarding the results corresponding to the requestsback to the requesting client system. The processing required to satisfythe request may be performed by server 122 or may alternatively bedelegated to other servers connected to communication network 124.

Client systems 113, 116, and 119 enable users to access and queryinformation stored by server system 122. In a specific embodiment, a“web browser” application executing on a client system enables users toselect, access, retrieve, or query information stored by server system122. Examples of web browsers include the Internet Explorer browser byMicrosoft Corporation, the Firefox® browser by Mozilla Foundation, andothers.

FIG. 2 shows a more detailed diagram of a computer system which may be aclient or server. FIG. 2 shows a computer system 201 that includes amonitor 203, screen 205, cabinet 207, keyboard 209, and mouse 211. Mouse211 may have one or more buttons such as mouse buttons 213. Cabinet 207houses familiar computer components, some of which are not shown, suchas a processor, memory, mass storage devices 217, and the like. Massstorage devices 217 may include mass disk drives, floppy disks, IomegaZIP™ disks, USB removable storage, magnetic disks, fixed disks, harddisks, hard drives including both magnetic and flash storage in a singledrive unit, CD-ROMs, recordable CDs, DVDs, DVD-R, DVD-RW, HD-DVD,Blu-ray DVD, flash and other nonvolatile solid-state storage, tapestorage, reader, and other similar media, and combinations of these.

A computer-implemented or computer-executable version of the inventionmay be embodied using, stored on, or associated with computer-readablemedium. A computer-readable medium may include any medium thatparticipates in providing instructions to one or more processors forexecution. Such a medium may take many forms including, but not limitedto, nonvolatile, volatile, and transmission media. Nonvolatile mediaincludes, for example, flash memory, or optical or magnetic disks.Volatile media includes static or dynamic memory, such as cache memoryor RAM. Transmission media includes coaxial cables, copper wire, fiberoptic lines, and wires arranged in a bus. Transmission media can alsotake the form of electromagnetic, radio frequency, acoustic, or lightwaves, such as those generated during radio wave and infrared datacommunications.

For example, a binary, machine-executable version, of the software ofthe present invention may be stored or reside in RAM or cache memory, oron mass storage device 217. The source code of the software of thepresent invention may also be stored or reside on mass storage device217 (e.g., hard disk, magnetic disk, tape, or CD-ROM). As a furtherexample, code of the invention may be transmitted via wires, radiowaves, or through a network such as the Internet.

FIG. 3 shows a system block diagram of computer system 201 used toexecute the software of the present invention. As in FIG. 2, computersystem 201 includes monitor 203, keyboard 209, and mass storage devices217. Computer system 201 further includes subsystems such as centralprocessor 302, system memory 304, input/output (I/O) controller 306,display adapter 308, serial or universal serial bus (USB) port 312,network interface 318, and speaker 320. The invention may also be usedwith computer systems with additional or fewer subsystems. For example,a computer system could include more than one processor 302 (i.e., amultiprocessor system) or a system may include a cache memory. Theprocessor may be a multicore processor, such as the Intel Core 2 Duo,Intel Pentium® D, AMD Athlon™ 64 X2 Dual-Core, AMD Phenom™, or MicrosoftXbox 360 central processing unit (CPU).

Arrows such as 322 represent the system bus architecture of computersystem 201. However, these arrows are illustrative of anyinterconnection scheme serving to link the subsystems. For example,speaker 320 could be connected to the other subsystems through a port orhave an internal direct connection to central processor 302. Computersystem 201 shown in FIG. 2 is but an example of a computer systemsuitable for use with the present invention. Other configurations ofsubsystems suitable for use with the present invention will be readilyapparent to one of ordinary skill in the art.

Computer software products may be written in any of various suitableprogramming languages, such as C, C++, C#, Pascal, Fortran, Perl, Matlab(from MathWorks, www.mathworks.com), SAS, SPSS, JavaScript, AJAX, andJava. The computer software product may be an independent applicationwith data input and data display modules. Alternatively, the computersoftware products may be classes that may be instantiated as distributedobjects. The computer software products may also be component softwaresuch as Java Beans (from Sun Microsystems) or Enterprise Java Beans (EJBfrom Sun Microsystems). An operating system for the system may be one ofthe Microsoft Windows® family of operating systems (e.g., Windows 95,98, Me, Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7,Windows 8, Windows CE), Linux, UNIX, Sun OS, Ubuntu, or Macintosh OS X.Some mobile operating systems that can be used with an implementation ofthe invention include: Google Android, Chrome OS; Apple iOS4 or iOS5;Blackberry OS; Windows Phone 7. Other operating systems may be used.Microsoft Windows is a trademark of Microsoft Corporation.

Declarative Policies

An information management system may provide access control andinformation usage protection to documents using declarative policies(also referred to as “information management policies”). One or morepolicies may be written to limit access of a document or documents fromparticular users and enforced by the system. A policy enforcer runningon a computing device may be responsible for enforcing policies thatcontrol access to a document and use of content in a document. Documentsbeing protected are unaltered and remain in place on a file server or inan application data repository (e.g., Microsoft Exchange (RTM) messagestore). For example, a document being protected does not need to beencrypted. A document being protected does not need to be moved into arepository. A document being protected does not need to be placed in anenvelope. An envelope refers to a regular file of a particular fileformat tailored for a particular information management system in whicha document (or file) being managed may be embedded to facilitatemanagement of the document by the information management system.

A document may be a file system or nonfile system object. For example, afile system object may be an Excel spreadsheet. A nonfile system objectmay be an e-mail message or data delivered to an SAP® Frontend clientapplication (e.g., information about an employee) by an SAP humanresource module running on a server. For example, a non-file systemobject may be a web page produced by Microsoft SharePoint Server®. Inanother example, a non-file system object may be a webpage, a form or aunit of information delivery to a client from a Product LifecycleManagement (PLM) application. Some examples of disk file systems includeFAT, NTFS, HFS, ext2, ext3, ISO 9660, ODS-5, and UDF.

A document may encompass objects such as a file, an e-mail message, aWeb page, an on-line report, an on-line form, a discussion thread, aresult set generated by a database query, an on-line form, a bitmap, afile system object, a data object managed by a document managementsystem, a data object managed by a content management server, a dataobject in a product lifecycle management system, a source code file or acode fragment managed by a source code management system, a data objectmanaged by a configuration management system, a data object managed by aproject management system, a data object in an enterprise resourceplanning system, a data object in a customer relationship managementsystem, a data object managed or served, or both, by a portal server, adata object served by a Web server, a data object managed or served byany application server, or any unit of information content stored usingvolatile or nonvolatile memory.

An information management system controls access to information of thesystem by supporting information management policies. A policy may bedefined in different languages such as Blue Jungle's CompliantEnterprise Active Control Policy Language (ACPL) format that uses adeclarative approach to policy specification. More detailed informationabout the ACPL language may be found in U.S. provisional application60/870,195, filed Dec. 15, 2006, which is incorporated by reference. Apolicy may also be defined in Extensible Access Control Markup Language(XACML), a declarative access control policy language implemented inXML. XACML 2.0 is an open standard ratified by OASIS® standardsorganization.

Some examples of a workstation include a desktop computer, laptopcomputer, personal digital assistant (PDA), smart phone, thin client(e.g., HP Consolidated Client Infrastructure client or Wyse terminal),an instance of client operating environment running on a terminal server(e.g., Microsoft Windows 2003 Terminal Services and Citrix MetaFrame), aguest operating system running on a virtual machine (e.g., VMwareWorkstation and Microsoft Virtual Server 2005), a server making documentaccess or information usage request (e.g., acting as a client in thecontext of the request), Internet kiosk, and information kiosk. Aworkstation may be any computing device and computing environment fromwhich document access or information usage request is originated.

A policy server may create, manage, or create and manage policies.Policies may define to whom and under what condition (or conditions)access to a document is granted or denied.

Policies may be used to make declarative statements of policy withoutbeing burdened by implementation details. In example 1 below, adeclarative policy limits access to Microsoft Excel (RTM) spreadsheetsin the finance department folder (e.g., “/finance/”) to employees in thefinance department only. When a user in another department attempts toopen a Microsoft Excel spreadsheet in the finance department folder, theopen operation is denied.

EXAMPLE 1

FOR document.name = “/finance/*.xls” ON OPEN BY user = Finance DO ALLOWOTHERS DENY

FIG. 4 shows a simple block diagram of a policy enforcer forimplementing one or more policies according to a specific implementationof the invention. A policy enforcer 404 is installed on a workstation408 to protect documents on the workstation and documents accessiblefrom the workstation. As shown in the figure, the policy enforcerincludes an interceptor 412, a policy engine 416, and an obligationhandler 420.

In an implementation, a policy enforcer is able to perform informationaccess control for operations resulting from user action through anapplication program and execution of application program logic. Thepolicies allow policy enforcers (which may be called agents in specificembodiments) to make decisions on whether to allow or deny access to aparticular information, execute a particular application function, oroperate on a particular application data object or fragment.

The inceptor of the policy enforcer intercepts the operating system andapplication operations related to document access and use of content ina document to exert control over the operating system or applicationoperation. The intercepted operation and related information areforwarded to the policy engine 424. The policy engine evaluates at leastone declarative policy relevant to the operation to determine if theoperation should be allowed. If the operation is allowed, the operationcontinues to completion 428. If the operation is denied 428, theinterceptor blocks the operation.

The policy engine evaluates at least one policy of the set of policiesassociated with the action. Policies or subsets of policies, or both,may be transmitted to the workstation to control document accesses andinformation usage. The policy enforcer installed on the workstation maycontrol end-user access to and usage of documents (or information) onthe workstation and application program functions.

The policies may specify obligations that are processed by an obligationhandler. The obligation handler is a code module that carries outobligations supported by the policy system architecture. If a policyevaluated by the policy engine specifies an obligation, the policyengine invokes the obligation 432 by calling the obligation handler. Anobligation may be implemented in a Policy Enforcement Point (PEP). Inthis case, the policy engine instructs a PEP to carry out an obligationwhen it returns the result of policy evaluation. The policy engine mayobtain a PEP's obligation handling capabilities via a configurationfile, an initial handshake between a PEP and the policy engine, or whena PEP forwards an intercepted operation to the policy engine forevaluation.

Both document-at-rest and document-in-motion may be protected usingdeclarative polices (such as NextLabs ACPL (RTM)). A policy may beimplemented by a policy enforcer. A policy enforcer may implementencryption to enhance data protection. Document-at-rest refers to adocument stored temporary or permanently on a storage device such asmemory, hard disk, CD-ROM, DVD-ROM, Flash drive, Flash card, tape, andmore. Document-in-motion refers to a document being sent or transferredvia a network that has not reached its destination. Examples ofdocument-in-motion include: (a) an e-mail message that has been sent buthas not yet reach its recipient's mailbox; (b) a file being transferredusing FTP (file transfer protocol); (c) a file or a webpage beingdownloaded from a Web server (e.g., using HTTP protocol); (d) a messageor a file being sent using an instant messaging program; and more.

The components and configuration of the block diagram in FIG. 4 are notintended to limit the invention. For example, in an implementation, thepolicy enforcer has a plurality of interceptors and a plurality ofobligation handlers. Further, a policy engine may run in a processseparate from a policy enforcer. The policy decision process and policyenforcer may run on the same computer or on separate computers.

FIG. 5 shows an information management system with a plurality of policyenforcers running on different types of computing devices according to aspecific implementation of the invention. A plurality of policyenforcers 503, 505, 507, 509 are installed on a plurality of computingdevices (or workstations) 502, 504, 506, 508. The policy enforcers maycontrol access to documents and use of contents in the documents. Eachpolicy enforcer protects documents on its host computing device. Apolicy enforcer also controls access to a document stored on anothercomputing device and usage of the content of the document on the hostcomputing device. In an implementation, a policy enforcer protectsdocuments at rest. In another implementation, a policy enforcer protectsdocuments in motion. In yet another implementation, a policy enforcerprotects documents at rest and documents in motion.

A policy server 501 manages a plurality of policies for controllingaccess to documents and use of content in a document. In animplementation, the policy server sends a subset of the plurality ofpolicies to the computing devices periodically. In an implementation,policies are sent to the computing device by a user by invoking a sendpolicy operation manually. In another implementation, the system sendsthe policies to the computing device when a particular condition is met(e.g., a new policy is defined, at a particular time of day, or when auser logs onto the computing device).

In an implementation, only policies relevant to a computing device aresent to the computing device. In another implementation, policies aresent to computing devices and the computing devices determined whichpolicies are applicable to it. The policy server may send an entiresubset of policies relevant to a computing device or send the changes topolicies since the last update.

A computing device may include a computer, smart phone, tablet, bookreader, file server, e-mail server, Web server, instant messaging server(e.g., Jabber®), collaboration server (e.g., Microsoft SharePoint®, IBMLotus Notes®), document management server, ERP (enterprise resourceplanning) servers, CRM (customer relationship management) server,Product Lifecycle Management (PLM) server, and more. Access to adocument includes opening a file, writing to a file, renaming a file,copying a file, deleting a file, or changing file attributes (e.g.,owner or timestamp), opening an e-mail, sending an e-mail, deleting ane-mail, viewing a webpage, posting content to a website, downloading afile from a website, uploading a file to a website, and more. Use ofcontent in a document includes adding, editing, deleting, copying,formatting text, picture, video, URL (universal resource locator), andother elements in a document. Other elements in a document may include aformula in a spreadsheet, a script in a Microsoft PowerPoint®presentation, an annotation on a Adobe Acrobat PDF® file, a graphicselement in a AutoCAD® drawing, and more.

In an implementation, the files, documents, information, and content ofthe information management system is not encrypted. The information isin the same format as natively stored by an application or the operatingsystem. In an implementation, the information management system does notencrypt the information or content before it is stored. Then when theinformation management system is not operating or in effect, theunencrypted information or content can be opened and viewed withoutrestriction by the application program the information or content wasintended for. However, when the information management system isoperating, even if the information or content is not encrypted, theinformation management system prevents the opening or viewing (or otheroperation prohibited by a policy) by the application program (e.g.,policy says to DENY open operation). The information management systemcan trap the operation at the operating system level, and prevent anopening or viewing operation. With the information management systemoperation, encryption is not needed to prevent viewing.

In an implementation, the information management system can encrypt(e.g., as directed or based on a policy) the information or contentbefore it is stored, e-mailed to another user, and so forth. In thiscase, even when the information management system is not operating or ineffect, the information will not be viewable unless the user unencryptsthe information first.

Using Encryption to Extend Protection

Without encryption, an active policy enforcer protects a document when(i) the document is at rest on a computing device; or (ii) when adocument is in motion while passing through an enforcement point where apolicy enforcer may exert control. There are situations where a policyenforcer is unable to protect a document. Examples of such situationsinclude: (a) when a document is in motion before reaching an enforcementpoint (e.g., an e-mail is being sent but it has not reach a perimeterfilter protected by a policy enforcer); (b) a policy enforcer on acomputing device is disabled; and (c) a storage device is physicallyremoved from a computing device protected by a policy enforcer.

In the case of a document-in-motion, when a document leaves a hostcomputing device protected by a policy enforcer, the policy enforcer onthe host computing device will not be able to protect the document whileit is in transit. For example, if a document is attached to an e-mail byUser A and the e-mail is sent to a recipient User B in the company, thedocument is protected by a policy enforcer while it is on User A'scomputer. The document is also protected by a policy enforcer on UserB's computer when it arrives. However, when the e-mail is in transitbetween User A's computer and User B's computer, policy enforcers atboth computers are unable to protect the document. Similarly, when afile is transferred between two computers (or downloaded from a server),the contents of the file are not protected while the file is in transit,if the file transfer is carried out without using an encryptedtransport.

In the case of a disabled policy enforcer, a policy enforcer may bedisabled as a result of a hacking attempt. Alternatively, a computer maybe rebooted without a policy enforcer running For example, if a hackergains administrative (or root) access to a computer, the hacker may beable to disable a policy enforcer. As a result, documents on thecomputer are no longer protected by the policy enforcer. In anotherexample, a hacker gains access to a computer and reboots the computerwith a different operating system that does not have a policy enforcerinstalled. When the computer boots up, the documents on the computer areno longer protected by a policy enforcer.

In the case where a storage device is physically removed from acomputer, documents on the storage device are no longer protected by apolicy enforcer on the computer.

When protecting information leakage for any of the above threesituations is important, a policy-based information management systemmay encrypt documents whenever fulltime protection is desired. Full-timeprotection refers to protecting content of a document at all times, evenwhen content of the document is not under protection of a policyenforcer. However, a person of skill in the art would recognize othersituations where the policy enforcer would be unable to protect adocument.

Encryption Service as an Add-On

In an embodiment of the invention, an add-on provides encryption serviceto an information management system that uses declarative policies toprotect access to documents and use of content in a document. Encryptionof a specific document may be specified as an obligation in adeclarative policy. Not all documents managed by an informationmanagement system need to be encrypted. In an implementation, onlydocuments that require extra protection are encrypted. In anotherimplementation, documents selected by a user are encrypted. In anotherimplementation, all documents managed by an information managementsystem are encrypted.

In example 2 below, a declarative policy instructs a policy enforcer toencrypt a document if the document is classified “top secret” and thedocument is saved by an employee.

EXAMPLE 2

FOR document.name = “*”  WITH (document.classification = “top secret”)ON SAVE BY user = Employees DO ALLOW AND ENCRYPT

In example 3 below, when a document classified as “confidential” is sentby an employee as an attachment of an e-mail, a policy directs a policyenforcer to encrypt the document before allowing the e-mail to be sent.

EXAMPLE 3

FOR email.recipient = “*”  WITH (email.attachment.classification =“confidential”) ON SENT BY user = Employees DO ENCRYPT ATTACHMENT

FIG. 6 shows a policy enforcer with encryption service add-on accordingto a specific implementation of the invention. A policy enforcer 601includes one or more interceptors 602, a policy engine 603, and one ormore obligation handlers 604. The policy enforcer interacts withencryption service add-on 605 via an encryption handler. In the figure,the obligation handlers include the encryption handler. In anotherimplementation, the encryption handler implements encryption serviceperforms by encryption service add-on. When a policy obligationspecifies the encryption of a file, the obligation handler invokes anencryption function 606 in the encryption service add-on to encrypt adocument. To encrypt a document the encryption service add-on requestsan encryption key from the policy enforcer 607. In anotherimplementation, the encryption service add-on may obtain a key from aconfiguration file, a database, or another key management applicationprogram. In an implementation, an obligation handler is not present at apolicy enforcer. The encryption function is invoked for each file viathe encryption service, independent of whether a policy obligationspecifies the encryption of a file.

In an implementation, the interceptor is a policy enforcement pointwhich is responsible for intercepting (or sensing, or detecting)operations on documents and implementing policy decisions. A policydecision may include allowing an operation to be carried out, denying anoperation, logging an operation in an activity log, altering anoperation, and more.

The policy engine is a policy decision point where a subset ofinformation management policies relevant to the intercepted operation isselected and evaluated. Relevant policy selection may be based on anumber of factors such as the current user, document being accessed, orcurrent user and document being accessed. A policy decision may be“allow” or “deny.” In an implementation, a valid policy decision mayalso include logging or other auxiliary tasks. In anotherimplementation, logging and other auxiliary tasks are implemented asobligations.

The obligation handlers are responsible for carrying out tasks before orafter policy evaluation. It is often implemented as plug-ins or add-onsto a policy enforcer. For example, a logging obligation handler may logan intercepted operation into an activity database before the policyengine evaluates the policies. In another example, a logging obligationhandler logs only operations that are denied by a policy engine wherebylogging occurs only after the policy engine evaluates policies on anoperation. In another example, an encryption obligation handler encryptsa document when directed by a policy. In yet another example, anotification obligation handler sends an e-mail message to anadministrator notifying the administrator of a failed attempt to accessa document classified as “top secret.”

Other policy syntax that directs a policy enforcer to encrypt a documentmay be used. For example, a policy syntax “ENCRYPT USING <KEY>” maydirect a policy enforcer to encrypt a document using a particularencryption key named <KEY>. For example, <KEY> is the name of a key suchas “Engineering_Document_Key”. In another example, a policy syntax“ENCRYPT USING <KEY_RING>” may direct a policy enforcer to encrypt adocument using an encryption key in a particular keyring (or key ring)named <KEY_RING>. A key ring is an object that holds a collection ofencryption keys. A key ring may be addressed by its name such as“My_Key_Ring” and each key inside the key ring may be addressed using anidentifier. Besides using a declarative policy to direct encryptionservice to encrypt a document, other means to direct encryption serviceto encrypt a document may be applied.

In an implementation, the decision to encrypt a file is based on anattribute associated with a directory. When encryption serviceintercepts an operation to create a file on a file system, theencryption service attempts to locate an encryption required attributeassociated with the directory where the file will be created. If anencryption required attribute exists and it specifies a file created inthe directory should be encrypted, the encryption service will encryptall data written to the file. If the encryption required attribute isabsent or it specifies a file created in the directory should not beencrypted, no encryption will be performed on the file by the encryptionservice.

In an example, the following policies specify that only employees maysave documents in directory “/confidential/” and documents saved to thedirectory should be encrypted. The first policy “Policy 1” specifiesencryption using policy syntax “ENCRYPT” which directs the policy engineto invoke the encryption obligation handler when it evaluates thepolicy. The encryption obligation handler then instructs encryptionservice to encrypt data written to the file involved in the policyenforcement action. The second policy “Policy 2” does not specifyencryption through policy. Instead, an encryption required attribute ondirectory “/confidential/” is set to indicate that files in thedirectory should be encrypted. When a file is saved to the directory,the file save operation is intercepted and Policy 2 is evaluated. If thefile save operation is allowed to continue, encryption serviceintercepts the file save operation. The encryption service check theencryption required attribute on directory “/confidential/” and theencryption required attribute indicates the file should be encrypted.The encryption service performs encryption on data to be written to thefile. This is shown in example 4 below.

EXAMPLE 4

# Policy 1 - Encrypt a file using obligation FOR document.name =“/confidential/*” ON SAVE BY user = Employees DO ALLOW AND ENCRYPT #Policy 2 - Encrypt a file by setting a directory attribute # (encryptionrequired attribute on “/confidential/” is set) FOR document.name =“/confidential/*” ON SAVE BY user = Employees DO ALLOW

An encryption required attribute on a directory indicates to theencryption service whether a file created in the directory or a filecopied to the directory should be encrypted. An encryption requiredattribute may be implemented in a variety of ways, such as an extendedfile system attribute on a file system, a lookup table entry, or other.

An encryption required attribute may be set in a system in differentways. When an encryption required attribute is implemented as anextended file system attribute on a Linux file system such as Ext2,Ext3, XFS or JFS, an integer or string value may be stored in theextended file system attribute to indicate if the attribute is set. Anencryption required attribute may also be used to indicate if a fileshould be encrypted. When an encryption required attribute is absent, afile created in the directory (or copied to the directory) may not beencrypted. On Microsoft NTFS® file system, a custom NTFS streamassociated with a directory may be used to store an encryption requiredattribute. Similarly, the presence of a custom NTFS stream may be usedto indicate an encryption required attribute is set.

When an encryption required attribute is implemented using a lookuptable, the lookup table may contain a list of directories whereencryption should be applied. The content of the lookup table may beloaded from a configuration file or populated by a policy enforcer orother source. An encryption required attribute on a directory may alsobe set manually or set using a policy.

Further, subdirectories inside a directory with an encryption requiredattribute may inherit the encryption required attribute. Copying adirectory with and encryption required attribute should also set theencryption required attribute of the destination directory.

In an implementation, encryption service is implemented as a kerneldevice driver of an operating system. A kernel device driver may includefile system filter driver, file system driver, or the like. In anotherimplementation, encryption service operates in user mode of an operatingsystem. In yet another implementation, encryption functions ofencryption service operates in user mode and decryption functions ofencryption service operates in kernel mode.

In an implementation, encryption service operates in both user mode andkernel mode.

In a specific implementation of the invention, encryption service is anintegral part of the policy enforcer.

Tying Encryption to Policy Enforcer

In an embodiment of the invention, a policy enforcer of an informationmanagement system enforces information management policies, managesencryption keys, and controls encryption and decryption of documents.The information management policies of the information management systemare responsible for controlling document access and document contentusage. The information management policies may also be used to directencryption of documents. When fulltime protection of the content of adocument is needed, a policy enforcer may be directed to encrypt thedata written to the document. The policy enforcer uses local encryptionkeys and shared encryption keys to encrypt and decrypt documents residedon host computing devices and remote computing devices (e.g.,document-at-rest) and documents about to be sent or transferred (e.g.,document-in-motion) so that encryption may be performed without userintervention.

After a document is encrypted, the role of controlling access to thedocument and controlling usage of content of the document remains theresponsibility of the information management policies and the policyenforcers that implement (or enforce) the information managementpolicies. The role of encryption in the information management system isto provide fulltime protection to content of a document whether thedocument resides on a computing device being managed by a policyenforcer of the information management system or does not reside on acomputing device being managed by a policy enforcer of the informationmanagement system. For example, encryption protects a document when thedocument is in motion (e.g., a document is in transit before it reachesa destination computing device that is protected by a policy enforcer)where the document is not protected by a policy enforcer of theinformation management system.

Not all documents managed by an information management system need to beencrypted. The protection offered by a policy enforcer and informationmanagement policies without using encryption is comprehensive andadequate for most situations. Encryption may be applied when fulltimeprotection is needed.

By implementing encryption through a policy enforcer of an informationmanagement system, document encryption and decryption occurtransparently without intervention by a user or require a specialapplication program. This policy enforcer directed encryption anddecryption system (or “enforcer directed encryption”) behavior issimilar to file system encryption, yet without the shortcomings of filesystem encryption.

First, file system encryption often leaves document data vulnerable whendocument data is in motion (e.g., transferred through a network) unlessencrypted transport is used to transfer a document. For example withMicrosoft NTFS®, if an encrypted file is opened over the network, thedata that is transmitted over the network is not encrypted. Enforcerdirected encryption keeps an encrypted document protected while thedocument is accessed across the network because an encrypted documentremains encrypted when transmitted over the network and decryptionoccurs only on the client computing device with the supervision of apolicy enforcer. A policy enforcer continues to control usage of thecontent of the document according to the information management policiesthat govern access to the encrypted document and usage of the content ofthe encrypted document. The process of decrypting an encrypted documenton the client computing device is transparent to a user because a policyenforcer automatically applies the correct encryption key to decrypt thedocument.

Second, some encrypted file systems decrypt an encrypted file when thefile is copied to a file system that does not support encryption. Forexample, copying an encrypted file from Microsoft NTFS® to MicrosoftFAT® file system will cause a file to be decrypted. Other encrypted filesystems copy an encrypted file to another file system treating contentof the encrypted file as binary data on the target file system renderingthe file useless without the encryption key needed to decrypt thedocument. A document encrypted using enforcer directed encryption may bemoved among file systems or computing devices. When an encrypted file ismoved from one computing device to another computing device, a policyenforcer automatically re-encrypts the encrypted file with a sharedencryption key, if needed, without any intervention from a user. Thismakes the process of copying (or moving) an encrypted file transparent.Further details on shared encryption key are described below in thisdocument.

Third, file system encryption (or an encrypted file system) is oftenoperating system dependent (e.g., Microsoft NTFS® encrypted file systemis only available to Microsoft Windows® operating system). With enforcerdirected encryption, a document may be encrypted by a policy enforcer onone operation system (e.g., Microsoft Windows®) and decrypted by apolicy enforcer on a different operating system (e.g., Linux®)transparently without any user intervention.

There are more advantages to implementing encryption using a policyenforcer. For example, an encrypted file system cannot protect a filewhen the file is attached to an e-mail. A policy enforcer allows anencrypted document to remain encrypted while attached to an e-mail. Apolicy enforcer automatically handles encryption key management issuesallowing the protection to the document to be maintained while thedocument is in motion (e.g., sent with an e-mail). A policy enforcer ona recipient's computing device will automatically locate the correctdecryption key to decrypt the document and continues to protect accessto the document and usage of the content document according to theinformation management policies governing access to and usage of thedocument.

Since access control to a document is enforced by a policy enforceraccording to polices relevant to the access operation and the documentbeing accessed, the decision to decrypt a document may occur only afteraccess to the document is authorized. In an implementation, a policyenforcer provides the necessary encryption key to encryption service anddirects the encryption service to decrypt a document. In anotherimplementation, a policy enforcer directs encryption service to decrypta document and the encryption service requests a key from the policyenforcer using information it retrieves from the document. In yetanother implementation, encryption service intercepts a file openoperation on an encrypted file a request a key from a policy.

Trusted Application

In an embodiment of the invention, encryption keys are managed by apolicy enforcer and an encryption service requests an encryption keyfrom a policy enforcer prior to encrypting or decrypting a document.When a policy enforcer is disabled, encryption service will not be ableto decrypt a document because encryption service does not have access tothe encryption key required to decrypt the document. A policy enforcerprovides an encryption key to an encryption service only if the policyenforcer can trust an application program (or process) that attempts toaccess an encrypted document. To establish trust with a policy enforcer,an application program must be able to enforce information managementpolicies and has successfully communicated with the policy enforcer. Inaddition, the application program must have triggered a policyevaluation recently and the policy evaluation must have produced an“allow” policy effect (e.g., allowing access to an encrypted document).

A trusted application is an application program on a computing devicethat cooperates with a policy enforcer to implement informationmanagement policies and the application program is entrusted by thepolicy enforcer to handle decrypted document data.

In an implementation, trust is established between an applicationprogram instance and a policy enforcer. In this case, the policyenforcer uses a process id of the application program instance toidentify the trusted application program.

In an implementation, the trust between an application program and apolicy enforcer may expire after a time period. Trust can bere-established when the application program requests policy evaluationand the policy evaluation produces an allow policy effect.

In another implementation, encryption service is implemented as a filesystem filter driver. When an application opens a document (or file),encryption service intercepts the corresponding file open operation andchecks if the document is encrypted. If the document is not encrypted,the encryption service passes the file open operation to the next filesystem device driver. If the document is encrypted, the encryptionservice requests a key from the policy enforcer by passing informationassociated with the file open operation to the policy enforcer. Uponreceiving a get key request, the policy enforcer checks if theapplication program that initiates the file open operation can betrusted. If the application program is trusted, the policy enforcerreturns a key to the encryption service. The encryption service storesthe key for use in subsequent file read, file write and other fileoperations. The encryption service may discard the key when a file isclosed. To complete the file open operation, the encryption servicespasses the file open operation to the next file system device driver. Ifan application program is not trusted, the policy enforcer returns anerror status. Upon receiving an error status, the encryption service maydeny the file open operation (e.g., return an error) or allow accessonly to the encrypted data.

In an implementation, encryption service operates as an add-on to apolicy enforcer. As such, it relies on the policy enforcer to provide atrusted application service to identify if an application program can betrusted with unencrypted content. The encryption service also relies onthe policy enforcer to provide key management service that provides anencryption key to facilitate encryption and decryption. The cooperationbetween policy enforcer and encryption service provides continuousprotection to decrypted content of an encrypted document by a policyenforcer according to information management policies and prevents thedecrypted content from being misused. On the other hand, when aencrypted document is no longer protected by a policy enforcer (e.g, adocument is removed from a computing device or in motion), the encrypteddocument remains protected because the encryption key requires todecrypt the encrypted document is protected by a policy enforcer.

In an implementation, an untrusted application program is an applicationprogram that does not require unencrypted document data. This greatlyreduces the overhead associated with the overall computing system sincecomputing cycles are saved by not needing to decrypt files. For example,if the application program is a backup program, it does not requireunencypted document data. The system would recognize the backup programas an untrusted application (such as through the backup program'sapplication identifier) and transmit encrypted document data to it. Thisallows the backup program to backup the file in its encrypted format.This prevents persons that may get access to the backup made by thebackup program from reading the document data.

Specific implementations of a flow are presented in this patent, but itshould be understood that the invention is not limited to the specificflow and steps presented. A flow of the invention may have additionalsteps (not necessarily described in this application), different stepswhich replace some of the steps presented, fewer steps or a subset ofthe steps presented, or steps in a different or alternative order thanpresented, or any combination of these. Certain steps may be repeated asneeded. Further, the steps in other implementations of the invention maynot be exactly the same as the steps presented and may be modified oraltered as appropriate for a particular application or based on thecircumstances.

In an implementation, trust for an application program can beestablished in the following flow:

(1) An application program (or policy enforcement point or PEP)intercepts a request.

(2) The PEP queries a policy deployment point (PDP or policy enforcer)for a decision.

(3) The PDP returns ALLOW.

(4) The PDP caches the application's program identifier (PID), decisionand time (this PID is trusted for a period of time from now on).

(5) Encryption driver intercepts a file open (for example, at the filesystem filter driver).

(6) Encryption driver checks if file is encrypted.

(7) If encrypted, encryption driver reads the file's header to get keyring name and key id (identification information of a key in the keyring). The encryption driver requests a key from PDP with the PID, keyring name, and key id.

(8) PDP performs a lookup on a cache and finds process trusted.

(9) PDP performs a lookup to locate a key store with the key ring usingthe key ring's name.

(10) If key ring is in key store, get key with key id from key ring andreturn key to encryption driver.

(11) If key ring is not in key store, request the key ring from KeyManagement server. Cache key ring in a local key store. Return key withkey id to encryption driver.

(12) Encryption driver allows the file to be opened.

(13) Encryption driver stores key with open file handle.

(14) Encryption driver returns.

(15) Encryption driver intercepts a file read on the file handle by PID.

(16) Encryption driver reads data from disk and decrypt.

(17) Encryption driver presents unencrypted data.

(18) If PDP return application is not trusted, encryption driver readsdata from disk without decrypting and returns to app.

(19) Otherwise, return error.

Encrypted Document Structure

In the following discussion, a source document refers to a document inits original unencrypted form. The content of a source document isreferred to as source content. When a source document is encrypted, theresulting document containing content of the source document inencrypted form is referred to as an encrypted document. The portion ofdata in the encrypted document that represents the source data inencrypted form is referred to as encrypted data. The data in anencrypted document that is not encrypted data is referred to as controldata.

FIG. 7 shows a structure of an encrypted document according to aspecific implementation of the invention. An encrypted document 701includes a control data section 702 and a document content section 703.The document content section has encrypted data which is encrypted usingcontent encryption key (or content key) Kc 705. The control data sectionholds a key identifier 704, a content encryption key Kc, and other data.The other data may include a magic number, file format signature,version number, key ring name, key identifier, unencrypted file size,padding information, author name, timestamp, tracking rules, retentionrules, classification data, custom file attributes (also referred to asancillary data), and more. The content encryption key Kc is used todecrypt the encrypted data in the document content section. A contentencryption key may be generated when a document is encrypted. Therefore,each encrypted document may have a different content encryption key. Thecontent encryption key itself is encrypted. Depending on whether adocument is at rest or in motion and when a document is at rest whetherthe document is on a host computing device or on a shared storagedevice, a local encryption key Kl or a shared encryption key Ksh may beused to encrypt the content encryption key. Since content encryption keyKc may be encrypted using different encryption keys, a key ring name anda key identifier pair may be used to identify the encryption key thatwas used to encrypt the content encryption key. A key ring name may be astring value, an integer value, or other value. When a key ring is used,a key identifier may be an index or a name that uniquely identifies anencryption key in a key ring. In one implementation, the key used toencrypt content encryption key Kc is not stored in a key ring. In thiscase, only a key identifier is necessary to identify a key. A keyidentifier may be an integer, a string value, or other value.

In an implementation, a feature of the system is that encrypting adocument involves two-layers of encryption. A Kc key can protect thedocument content while a separate key, a Ksh or Kl key, protects the Kckey. So, if changes need to be made to the encryption of a file (e.g.,updating policies to prevent people from accessing the document), theKsh or Kl key can be updated without needing to reencrypt the documentcontents. For example, if a document is 20 megabytes in size, its keydata and associated encryption overhead (such as the Kc) is around 1kilobytes in size. It is a lot easier to deal with decrypting andre-encrypting 1 kilobytes. The document can even vary in size, but sinceonly the Kc needs to be reencrypted if a new key is used, computingoverhead is reduced since the document contents do not need to bereencrypted.

In an implementation, a key identifier is a Universally UniqueIdentifier (UUID) which uniquely identifies an encryption key. UUID isan identifier standard maintained by the Open Software Foundation (RTM).In another implementation, a key identifier is an integer index into akey ring and a key ring identifier for identifying the key ring is anUUID.

The encrypted document in FIG. 7 is merely illustrative of an embodimentincorporating the present invention and does not limit the scope of theinvention as recited in the claims. One of ordinary skill in the artwould recognize other variations, modifications, and alternatives. Forexample, in FIG. 7, the control data section appears before theencrypted data section in an encrypted file. In another implementation,the control data section appears after the encrypted data section in anencrypted file.

To facilitate identifying an encrypted document, an encrypted documentmay be assigned a custom file name extension (e.g., .nxl). If a customfile name extension may not be used, a magic number (or a signature) maybe included in the control data section of the encrypted document forfile type identification. For example, if control data is stored as afile header, the first few bytes of the file may contain a signature“NLNXL.” With such, an encrypted document may be identified if the firstfive bytes in a file matches the signature.

In another embodiment of the invention, the control data of an encrypteddocument is stored in a location different separate from the documentcontent. In an implementation, document content of an encrypted file isstored in the default stream of a file on Microsoft's NTFS® file systemand control data of the encrypted file is stored in a separate stream(or alternate stream) of the file. For example, the separate stream canbe the resource stream of the file system.

Key Management

A policy enforcer manages multiple encryption keys used to encrypt anddecrypt documents. The encryption keys may be local encryption key KIand shared encryption key Ksh. The discussion from this point onwardwill focus on the application of local encryption key and sharedencryption key. As such, hereinafter “encryption key” refers only to alocal encryption key or shared encryption key but not a contentencryption key Kc. Hereinafter, any reference to content encryption keywill be explicitly stated. In addition, “using a local encryption key toencrypt a document” hereinafter refers to using a local encryption keyto encrypt a content encryption key and the content encryption key isused to encrypt the content of a document. Similarly, “using a sharedencryption key to encrypt a document” hereinafter refers to using ashared encryption key to encrypt a content encryption key and thecontent encryption key is used to encrypt the content of a document.

An impediment to create an easy to use transparent encryption solutionis key management. While using a large number of encryption keys orchanging encryption key frequently increases security and minimizes dataloss when an encryption key is compromised, it increases complexity inmanaging and securing encryption keys. By placing encryption keymanagement at a policy enforcer, the task of managing encryption keys isgreatly simplified. At the same time integrating encryption with accesscontrol policies offers additional flexibilities in providing automatedand targeted document encryption (e.g., a policy may specify toautomatically encrypt a document having classification “company secret”when sent as an e-mail attachment) and selective access to decrypteddocument content.

In an embodiment of the invention, a policy enforcer in an informationmanagement system facilitates encryption and decryption of documentsusing local encryption keys and shared encryption keys distributed froma key management server of the information management system. Encryptionkeys are managed using key rings. Each key ring is given a unique nameand may contain zero or more encryption keys. Each encryption key in akey ring is given a unique identifier. For example, a key ring is usedto support key management where an encryption key is changedperiodically to minimize data loss in case an encryption key is beingcompromised. In this example, a key ring name NL_LOCAL refers to aparticular local encryption key collection. When a local encryption keyis requested for encrypting a document, the newest key in key ringNL_LOCAL is returned. However, when requesting a local decryption key todecrypt a document, the request should contain a key ring name (i.e.,NL_LOCAL) and a key identifier that identifies a particular key in thekey ring.

Regarding local encryption key distribution, a particular localencryption key ring is distributed to only a particular policy enforcer.No other policy enforcer will be given the particular local encryptionkey ring. Therefore, a local encryption key is unique to a policyenforcer.

In an implementation, a shared encryption key ring may be distributed tomany policy enforcers in the information management system. When anencryption service requests a particular shared key from the policyenforcer, the policy enforcer returns a particular shared key from itskey ring cache if the corresponding shared key ring exists in the cache.If a shared key ring is not cached, policy enforcer requests the sharedkey ring from another source (e.g., key management server).

A key management server may also assist in recovering local encryptionkey ring assigned to a policy enforcer in case of system or hardwarefailure.

In a particular implementation, a local encryption key may be generatedon the host computing device whereby local encryption key distributionby the key management server is not necessary. Optionally, a keymanagement server may participate in backup and restore of locallygenerated local encryption key.

FIG. 8 shows a key management server 801 that manages encryption keysused by a plurality of policy enforcers of an information managementsystem. The key management server communicates with policy enforcers805, 811 on workstation 804 and file server 810, respectively. Policyenforcer 805 holds one local encryption key ring Kl 806 and one or moreshared encryption key rings Ksh 807. Similarly, policy enforcer 811holds one local encryption key ring Kl 812 and one or more sharedencryption key rings Ksh 813.

One purpose of a local encryption key is to protect documents on acomputing device (also referred to as “local documents”) that are notbeing accessed outside of the computing device. A local document is adocument stored on a storage device attached to a computing device (alsoreferred to as “a document stored on computing device” in this document)and the document is not accessible from another computing device. In animplementation, a local encryption key is generated locally by a policyenforcer and registered with a key management server. Local encryptionkey is registered with a key management server to facilitate keyrecovery. In another implementation, a local encryption key is generatedby a key management server and distributed to a policy enforcer. A localencryption key generated by a key management server is distributed toone policy enforcer only and the local encryption key is not shared withanother policy enforcer.

In an implementation, a shared encryption key is generated by a keymanagement server. The shared encryption key may be distributed to twoor more policy enforcers. A purpose of a shared encryption key is toallow a document encrypted by a policy enforcer on one computing deviceto be decrypted by another policy enforcer on another computing device.

A policy enforcer may operate without a key management server. A keymanagement server is used to simplify encryption key management. In animplementation, a policy enforcer generates its local encryption key andshared encryption keys are installed manually on a computing device.

Local Encryption Key

A local encryption key is an encryption key that a policy enforcer usesto encrypt documents stored on storage devices directly attached to thepolicy enforcer's host computing device (also referred to as “documentsstored on the host computing device”) and access to the documents arelimited to the host computing device. Since the documents stored on thehost computing device are accessible only by the host computing device,it is unnecessary to share a local encryption key with other policyenforcers. A local encryption key may be used to encrypt documents atrest.

In an implementation, each policy enforcer in an information managementsystem has at least one local encryption key in a local encryption keyring. By using a different local encryption key on each policy enforcer,the number of documents encrypted using a particular local encryptionkey is likely to be limited, whereby lessening the impact of data lossdue to a local encryption key being compromised. When a local encryptionkey is changed frequently, the impact of data loss may be furtherlimited.

A local encryption key may be designed to protect documents that are notbeing shared, and may be used by policy enforcers on endpoint computingdevices to protect local documents. An endpoint computing device refersto a networked computing device that is used mostly to access data onother computing devices, and the computing device itself is not (orseldom) being accessed by another computing device. Example endpointcomputing devices include desktop computers, laptop computers, tabletcomputers, smartphones, digital information kiosks, and more.

Shared Encryption Key

While a local encryption key may be used for encrypting documents thatwill only be decrypted on the same computing device by an encryptionservice in conjunction with a policy enforcer, a shared encryption keymay be used to encrypt a document on a first computing device by a firstencryption service in conjunction with a first policy enforcer that willbe decrypted on second computing device by a second encryption servicein conjunction with a second policy enforcer. A shared encryption key isan encryption key that may be provided to one or more policy enforcersto encrypt and decrypt documents. A policy enforcer provides a sharedencryption key to encrypt a document if the document may be decrypted byanother computing device (e.g., a document attached to an e-mail).

There are many situations where encrypting a document using a sharedencryption key is desirable. Examples of situations include: (a) adocument is intended to be shared on the network or through removablestorage device; (b) a document needs to be protected while copied (ortransferred, or downloaded) over an unsecure network connection; or (c)a document needs to be secured while being sent as an e-mail attachment.

In the context of the present invention where documents are encryptedand decrypted by a policy enforcer at the point-of-use and encryptionkeys are maintained by the policy enforcer, sharing an encrypteddocument refers to providing a policy enforcer at the point-of-use theencryption key necessary to decrypt the encrypted document. Apoint-of-use refers to a computing device from which access to adocument is requested or on which the content of a document will be read(or consumed). By decrypting an encrypted document at the point-of-use,the encrypted document remains protected while transmitted over anunsecured network connection whereby providing end-to-end protection ondocument content.

In an implementation, a shared encryption key is assigned to a servercomputing device (hereinafter also referred to as “document server”)where at least one encrypted document (hereinafter also referred to as“shared documents”) on the server computing device is accessible fromone of more client computing devices (hereinafter also referred to as“clients”). The shared documents on the document server are encryptedwith the shared encryption key. Not all documents on the document servermay be encrypted. When a shared document is accessed from a client andthe client is authorized to access the shared document, the content ofthe shared document is transferred to the client and the shared documentremains encrypted during transfer. At the client, a policy enforcerobtains the shared encryption key associated with the document anddecrypts the shared document using the shared encryption key. The sharedencryption key is typically identified by a key ring name and a keyidentifier stored with the document.

If a shared document is changed at a client, the policy enforcer at theclient encrypts the content of the shared document using the sharedencryption key and saves the encrypted data to the document server.Again, the changed shared document is encrypted while it is transmittedfrom the client to the document server.

Accessing an Encrypted Document

In an embodiment of the invention, a policy enforcer and an encryptionservice cooperate to offer two views of an encrypted document. If afirst application program is trusted by a policy enforcer that it willcontinue to protect the unencrypted content of an encrypted document,the encryption service will decrypt the encrypted document to producethe unencrypted content and provide it to the first application program.If a second application program is not trusted by a policy enforcer toprotect unencrypted content, the encryption service will serve thesecond application program with encrypted content (e.g., originalcontent of the encrypted document that has not been decrypted). Forexample, if the first application program is a word processor such asMicrosoft Word (RTM) and the second application program is data backupsoftware. In an implementation, the trust a policy enforcer places on anapplication program may expire after a time period.

In an example, an application program trusted by a policy enforcer whenit attempts to access a first encrypted document at a first time Xwhereby unencrypted content of the first encrypted document is served byan encryption service working with the policy enforcer. At a later timeY, when the application program attempts to access the first encrypteddocument, the application program is not trusted by the policy enforcer.So encrypted content is served by the encryption service to theapplication program. In one scenario, the application program is aspreadsheet software such as Microsoft Excel (RTM) and at time X, theapplication program is operated by user A, where the policy enforcerdetermines who can be trusted according to information managementpolicies. At time Y, the application program is operated by user B whois not trusted by the policy enforcer.

In an implementation, access to a document includes the following fileoperations: opening a file, creating a file, reading a file, writing afile, renaming a file, moving a file, copying a file, or the like.

Examples of a server computing device include a file server, a documentmanagement server, a content management server, a Web server, aworkstation with a shared folder, and more. Examples of a clientcomputing device include a desktop computer, a laptop computer, a tabletcomputer, a smartphone, and more.

In example 5 below, a policy specifies that all documents created inlocal directory “/company-secrets/” will be encrypted.

EXAMPLE 5

FOR document.name = “/company-secrets/*” ON SAVE BY user = Employees DOENCRYPT

FIG. 9 shows a flow 901 for encrypting a new document using a localencryption key according to a specific implementation of the invention.In a step 904, a “save document” operation is invoked. The saveoperation on the document may be invoked in a number of ways. Forexample, a user may invoke this operation by saving a document to alocal directory (e.g., “/company-secrets/”) on a computer's local harddisk. This may be done, for example, by clicking on an icon, by typingin an appropriate command in a command line, by selecting a menu item(e.g., “File” and then “Save As . . . ”), by entering shortcut keysequence (e.g., <Ctrl>-S), or by an application program. In animplementation, the user saves the document in the local directory forthe first time.

In a step 908, the save operation is intercepted (or detected) by apolicy enforcer on the computer. In a step 912, the policy enforcerforwards the save document operation, along with other informationrelated to the save document operation, to a policy engine. In a step916, the policy engine evaluates at least one policy on the operationincluding a save document policy. In an implementation, the policy is adeclarative policy. In a step 920, it is determined whether the policyspecifies an obligation to encrypt the document. In a step 924, if it isdetermined that the policy does not specify an obligation to encrypt thedocument, the document is not encrypted. Process flow then proceeds to astep 936, in which the unencrypted document is saved in the directory.

If it is determined that the policy does specify an obligation toencrypt the document, the document is encrypted. In a step 928, anencryption function is invoked. In a step 932, an encryption key isobtained. After the document is encrypted, in a step 936, the encrypteddocument is saved in the directory. In one implementation, encryption isimplemented at block level whereby a block of data is encrypted andsaved to disk before another block of data is encrypted. In oneimplementation, the name of an encrypted file is unchanged. In anotherimplementation, the name of an encrypted file is changed to reflectcontent of the file has been encrypted. In an implementation, anobligation handler invokes the encryption function in the encryptionservice add-on to encrypt the document. To encrypt the document theencryption service add-on requests an encryption key from the policyenforcer. In another implementation, the encryption service add-onobtains a key from a configuration file or a database.

In an implementation, an encryption service may request a localencryption key using a key ring name that is predefined. In anotherimplementation, an encryption service may request a local encryption keyusing a key ring name that is specified in a configuration file. In yetanother implementation, an encryption service may request a localencryption key using a key ring name that is specified in a policy.

FIG. 10 shows a flow 1001 for encrypting a new document using a sharedencryption key according to a specific implementation of the invention.In a step 1004, a save document operation is invoked by a user or anapplication program. A policy enforcer intercepted the save documentoperation in a step 1008. In a step 1012, the save operation andinformation related to the save operation is forwarded to policy engine.Policy engine evaluates one or more policies relevant to the savedocument operation in a step 1016. Based on the result of policyevaluation, the policy engine determines if an encryption obligationneeds to be invoked in a step 1020. If the policy engine determines thedocument does not need to be encrypted in a step 1024, the document issaved without encryption in a step 1036. If the policy engine determinesthe document needs to be encrypted, encryption service is invoked in astep 1028 and the encryption service requests a key from policy enforcerin a step 1032. The policy enforcer detects if the document is saved toa shared location and returns a shared encryption key if the savelocation is shared in a step 1036. Some examples of shared locationsinclude: (a) a directory on a file server; (b) a directory on a localcomputer that is being shared (i.e., accessible by another user throughthe network); (c) a directory accessible through a web server; or (d) adirectory on a removable device. If the policy enforcer detects the savelocation is local and is not being shared, the policy enforcer returns alocal encryption key. In a step 1040, the encrypted document is beingsaved.

In an implementation, an encryption service may request a sharedencryption key using a key ring name that is specified in aconfiguration file. In another implementation, an encryption service mayrequest a local encryption key using a key ring name associated with adirectory. In yet another implementation, an encryption service mayrequest a local encryption key using a key ring name that is specifiedin a policy.

FIG. 11 shows a flow 1101 for encrypting a document without using apolicy. In a step 1104, a save document operation is invoked by a useror an application program. An encryption service intercepts the savedocument operation in a step 1108. In a step 1112, the encryptionservice checks if the document is saved to an encryption folder. Anencryption folder is a directory with an encryption required attributeset to true. In a step 1116, encryption service determined the documentis not saved to an encrypted folder, and proceeds to save the documentin a step 1140. In a step 1120, encryption service determines thedocument is saved to an encrypted folder. In addition, the encryptionservice makes a determination whether the save location is shared. Ifthe save location is shared, the encryption service request a sharedencryption key from the policy enforcer in a step 1124. If the savelocation is not shared, the encryption service request a localencryption key from the policy enforcer in a step 1128. The policyenforcer responds to a key request from the encryption server in a step1132 and returns a corresponding encryption key. In a step 1136, theencryption service encrypts the document using an encryption keyobtained from the policy enforcer and the encrypted document is saved ina step 1140.

In an implementation, an encryption service may request a shared keyusing a key ring name specified in a configuration file. In anotherimplementation, an encryption service may request a share key using akey ring name associated with a particular directory. In animplementation, an encryption service may always encrypted documentswith shared keys.

Besides having encryption carried out automatically, encryption may beperformed manually by a user using an encryption tool (e.g., NextLabs®nlSystemEncryption.exe). An encryption tool communicates with anencryption service to encrypt a document. The encryption servicerequests a key from the policy server and encrypts the document usingthe encryption key.

FIG. 12 shows a flow 1201 for decrypting a document where decryption isinitiated by a policy enforcer and encryption is completed with theassistance of an encryption service add-on. In a step 1204, a user opensa document that is encrypted. For example, referring to example 5 above,the documents in “/company-secrets/” on a computer's local hard disk areencrypted. In a step 1208, the open document operation is intercepted bya policy enforcer on the computer. In a step 1212, the policy enforcerforwards the open document operation, along with other informationrelated to the open document operation, to a policy engine. This relatedinformation can include identifying information (e.g., who the user is,what device is being used, what time the open operation occurs, whatfile is being opened, application identifying information) and otherinformation. In a step 1216, the policy engine evaluates at least onepolicy related to the operation, including an open document policy. Inan implementation, the policy is a declarative policy. In a step 1220,the results of policy evaluation determines if access to the document isallowed. In a step 1224, access to a document is denied. The opendocument operation fails. In a step 1228, access to a document isallowed. The policy enforcer invokes encryption service to decrypt thedocument. In a step 1232, the encryption service extracts key ring nameand key identifier from header of the document. In otherimplementations, the key ring name and key identifier may be stored atthe end of an encrypted document, other parts of a document, or outsidea document (e.g., a NTFS® stream). In a step 1236, the encryptionservice requests an encryption key from a policy enforcer using the keyring name and key identifier. In a step 1240, the policy enforcerreturns an encryption key to the encryption service. In a step 1244, theencryption service opens the document and associates the encryption keywith the opened document. Subsequent read operations can use the sameencryption key to decrypt the data. In another implementation, the keycan only be used to decrypt the data for a limited amount of times(e.g., 1 time, 2 times, or other integer amount) or when a condition issatisfied (e.g., before a certain time, after a certain time, whether adevice is approved device, or a combination of these). In the case anencryption key cannot be located using the key ring name and keyidentifier, the policy enforcer returns an error status in step 1240.The encryption service allows the file open operation to completewithout further intervention and subsequent file read operation willreturn encrypted data to the application program.

FIG. 13 shows a flow 1301 for decrypting a document where decryption isinitiated by an encryption service and encryption is completed withassistance from a policy enforcer. In a step 1304, a user opens adocument that is encrypted. In a step 1308, the open document operationis intercepted by an encryption service on the computer. In a step 1312,the encryption service checks if the document is encrypted. In a step1316, encryption service determined the document is not encrypted andthe document is opened without further intervention from the encryptionservice. In a step 1320, the document is encrypted and the encryptionservice extracts key ring name and key identifier from the document. Keyring name and key identifier may be stored in the encrypted document orassociated with the encrypted document. In a step 1324, the encryptionservice requests a key from the policy enforcer using the key ring name,key identifier, and a process identifier of the application program thatinitiated the open file operation. In a step 1328, the policy enforcerdetermines if the application program that initiated the open fileoperation should be trusted. The policy enforcer identifies theapplication program using the process identifier provided. The policyenforcer may also examine if the application program has made a policyevaluation request recently and if the policy effect was allowed. Ifthere was a recent policy evaluation associated with the applicationprogram and policy effect was allowed, then the application program istrusted. In a step 1232, an application program is determined to not betrusted and policy enforcer returns an error status to the encryptionservice. In a step 1336, the encryption service allows the file openoperation to complete without further intervention and the contents ofthe document will remain encrypted (i.e., the application program willget encrypted data). In a step 1340, the policy enforcer determined theapplication program can be trusted, and it returns an encryption key tothe encryption service. In step 1344, the encryption service opens thatdocument and associates the encryption key with the document. Subsequentread operation may use the encryption key to decrypt contents of thedocument.

FIG. 14 shows a flow 1401 for re-encrypting document content after adocument is modified. In a step 1404, a user attempts to save a modifieddocument that is encrypted. For example referring to the policy above, auser modifies a document in “/company-secrets/” on a computer's localhard disk. In a step 1408, the save document operation is invoked, andin a step 1412, the save document operation is intercepted by a policyenforcer on the computer. In a step 1416, the policy enforcer forwardsthe save document operation, along with other information related to thesave document operation, to a policy engine. In a step 1420, the policyengine evaluates at least one policy on the operation including a savedocument policy. In an implementation, the policy is a declarativepolicy. In a step 1424, policy enforcer checks if the save operation isallowed. In a step 1428, the save operation is denied and content is notsaved to the document. In a step 1432, policy enforcer allows a saveoperation to continue. In a step 1436, the save operation is interceptedby encryption services. Since file save operation is not blocked bypolicy enforcer, encryption service encrypts the document in a step1440. This encryption step may use an encryption key used to decrypt thedocument or obtain a new encryption key from the policy enforcer. Theencryption used may be a local encryption key or a shared encryptionkey. In a step 1444, the encrypted document is saved on the computer.

A policy enforcer plays an important role in keeping encryption keymanagement simple. The policy enforcer is also critical in makingencryption and decryption transparent to a user. In an example, when anencrypted document that is encrypted using a local encryption key iscopied (or transferred, or uploaded) from an endpoint computing deviceto a document server, a policy enforcer can determine through policythat the copy operation also needs to make the destination documentaccessible to other users authorized to access the document. In thiscase, the policy enforcer may instruct the encryption service tore-encrypt the document using a shared encryption key. In animplementation, a policy enforcer can determine if a copy destination isshared using policies and facilitate encryption key switching through anobligation.

In an implementation, where there is switching between local and sharedencryption keys, decrypting a document refers to decrypting contentencryption key (Kc) and control data. Contents in the document that isencrypted using content encryption key Kc is unchanged. Similarly, in animplementation, encrypting a document refers to encrypting contentencryption key Kc and control data. Contents of the document remainsunchanged.

FIG. 15 shows a flow 1501 for switching from a local encryption key to ashared encryption key when an encrypted document is copied from a localcomputer to a file server or any shared location. A shared locationincludes a file server, a remote computer, a shared folder on localcomputer, or a removable storage device. In a step 1504, a copyoperation is invoked when an encrypted document is copied from a localcomputer to a file server. In a step 1508, the copy document operationis intercepted by a policy enforcer on the local computer. In a step1512, the policy enforcer forwards the copy document operation, alongwith other information related to the copy document operation, to apolicy engine. In a step 1516, the policy engine evaluates at least onepolicy on the operation including a copy document policy. In animplementation, the policy is a declarative policy.

In a step 1520, the policy enforcer checks if the copy destination is ashared location by examining the destination of the copy operation. Ifthe copy destination is not a shared location, the policy enforcercontinues at flow step 1620 of FIG. 16. In a step 1528, the policyenforcer determined the destination is a shared location, it thenexamines the document to determine if it is encrypted with a localencryption key. If the document is not encrypted with a local encryptionkey, the document is copied to the destination without any change instep 1524. In a step 1532, the policy enforcer determined the documentis encrypted using a local encryption key. It decrypts the documentusing a local encryption key. In a step 1536, the decrypted data isre-encrypted using a shared encryption key. In a step 1540, the newlyencrypted document including the re-encrypted data is saved to thedestination whereby creating a second rendition of the document at thedestination. The second rendition of the encrypted document remainsencrypted while it is transmitted from the local computing device to thedestination.

In an example, an encrypted document on a file server is copied to adesktop computer. FIG. 16 shows a flow 1601 for switching from a sharedencryption key to a local encryption key when an encrypted document iscopied from a file server or any shared location to a local computer. Ashared location includes a file server, a remote computer, a sharedfolder on local computer, or a removable storage device. In a step 1604,a copy operation is invoked when an encrypted document is copied from afile server to a local computer. In a step 1608, the copy documentoperation is intercepted by a policy enforcer on the local computer. Ina step 1612, the policy enforcer forwards the copy document operation,along with other information related to the copy document operation, toa policy engine. In a step 1616, the policy engine evaluates at leastone policy on the operation including a copy document policy. In animplementation, the policy is a declarative policy.

In a step 1620, the policy enforcer checks if the source document is inshared location by examining the source path of the copy operation. Ifthe source path does not represent a shared location, the policyenforcer continues to flow step 1520 of FIG. 15. In a step 1628, thepolicy enforcer has determined the source path represents a sharedlocation. It then examines the destination path to identify if thedestination is a shared location. If the destination represents a sharedlocation, the document is copied to the destination without any changein step 1624. In a step 1632, the policy enforcer determined thedestination path is not a shared location. It decrypts the documentusing a shared encryption key. In a step 1636, the decrypted data isre-encrypted using a local encryption key. In a step 1640, the newlyencrypted document including the re-encrypted data is saved to thedestination whereby creating a second rendition of the document at thedestination. The second rendition of the encrypted document remainsencrypted while it is transmitted from the shared location to the localcomputer.

In example 6 below, if an employee sends an e-mail with a documentattachment and the classification of the document attachment is“Confidential,” a declarative policy instructs the policy enforcer toencrypt the document attachment.

EXAMPLE 6

FOR email.recipient = “*”  WITH (email.attachment.classification =“Confidential”) ON SEND BY user = Employees DO ENCRYPT ATTACHMENT

In an example, an e-mail is sent with an encrypted document attached toit. FIG. 17 shows a flow 1701 for encrypting an attachment of an e-mail.In a step 1704, an e-mail send operation is invoked. For example, thisoperation is invoked when a user sends an e-mail and the e-mail has anencrypted document attached. In a step 1708, the sent operation isintercepted by a policy enforcer on the desktop computer. In a step1712, the policy enforcer forwards the sent operation, along with otherinformation related to the sent operation, to a policy engine. In a step1716, the policy engine evaluates at least one policy on the operationincluding a sent operation policy. In an implementation, the policy is adeclarative policy. In a step 1720, the document is encrypted before thee-mail is sent. In an implementation, a policy directs a policy enforcerto encrypt the document before allowing the e-mail to be sent. Inanother implementation, a policy enforcer encrypts a document before thedocument is attached to an e-mail. In this case, the document isencrypted using a shared encryption key obtained from the policyenforcer. In a step 1724, the e-mail, along with the encrypted documentattachment, is sent. In an implementation, the encrypted documentattachment remains encrypted while attached to an e-mail. As a result,the encrypted document is secured while being sent as an e-mailattachment.

In one implementation, a policy enforcer determines if an e-mailattachment needs to be encrypted based on classification data associatedwith a document. Classification data includes attributes associated witha document, or attributes derived from content of the document. Forexample, attributes associated with a document may include file owner orpath. Attributes derived from a document may include content analysissuch as whether the document contains private information, or the typeof the content (e.g., source code, chart data, financial data). Thesedocuments may be encrypted by using an encryption obligation.

In an example, an encrypted document attached to an e-mail is beingsaved to a local disk of a desktop computer. FIG. 18 shows a flow 1801for switching from a shared encryption key to a local encryption keywhen an attachment of an e-mail is saved to local storage of a localcomputer. In a step 1804, a save operation is invoked when a userattempts to save an encrypted document attached to an e-mail to a harddisk on a desktop computer. In a step 1808, the save operation isintercepted by a policy enforcer on the desktop computer. In a step1812, the intercepted save operation, along with pertinent information,is forwarded to a policy engine. In a step 1816, at least one policyincluding a save policy is evaluated. The save operation is allowed bythe policy enforcer. In a step 1820, the document attachment isdecrypted using the shared encryption key. In a step 1824, the decrypteddocument attachment is encrypted using the local encryption key. Afterthe document attachment is encrypted using the local encryption key, ina step 1828, the encrypted document attached to the e-mail is saved onthe local disk of the desktop computer.

In an example, a user attempts to save a new document to a file serverlocation that requires the document to be encrypted. FIG. 19 shows aflow 1901 for encrypting a new document to be saved on a file serverusing a shared encryption key at a local computer. In a step 1904, asave operation is invoked when a user attempts to save a new document toa file server. In a step 1908, the save operation is intercepted by apolicy enforcer on the desktop computer. In a step 1912, the interceptedsave operation, along with pertinent information, is forwarded to thepolicy engine. In a step 1916, at least one policy including a savepolicy is evaluated. The save operation is allowed. In a step 1920,policy enforcer determines if the document should be encrypted. If thedocument should not to be encrypted, in a step 1924, the unencrypted newdocument is saved to the server.

If the document should be encrypted, in a step 1928, the document isencrypted using a shared encryption key obtained from the policyenforcer. This encryption is done on the local computer. In a step 1932,the newly encrypted document is saved at the file server location andonly encrypted data is transmitted over the network.

In an example, a new document is saved to a hard disk of a desktopcomputer where the directory to which the new document will be saved isshared and encrypted required attribute is set. FIG. 20 shows a flow2001 for encrypting a new document to be saved in a shared folder usinga shared encryption key at the desktop computer. In a step 2008, a saveoperation is invoked when a user attempts to save a new document to afolder on a desktop computer. In a step 2012, the save operation isintercepted by a policy enforcer on the desktop computer. In a step2016, the intercepted save operation, along with pertinent information,is forwarded to the policy engine. In a step 2020, at least one policyincluding a save policy is evaluated. The save operation is allowed. Ina step 2024, an encryption service intercepts the save operation. In astep 2028, the encryption service detects encryption required attributeon destination folder. The encryption required attribute specifies thatall files created in the destination folder should be encrypted. In astep 2032, the encryption service determines if the destination folder ashared folder. In a step 1236, the encryption service requests a keyfrom the policy enforcer. Depending on result from step 2032, if theresult indicates the destination folder is a shared folder, theencryption service requests a shared encryption key from the policyenforcer. If the result indicates the destination folder is not a sharedfolder, the encryption service requests a local encryption key from thepolicy enforcer. In a step 2040, the encryption service encrypts thedocument using the encryption key obtained from the policy enforcer. Theencryption may be a shared encryption key or location encryption keydepending on the request made in step 1236. In a step 2044, the newlyencrypted document is saved on the hard disk of the endpoint (e.g.,desktop computer)

In an example, a directory (or folder) on a desktop computer is beingshared and the directory contains documents that are encrypted using alocal encryption key. FIG. 21 shows a flow 2101 for sharing a folder ona local computer. In a step 2108, a share directory operation is invokedwhen a user attempts to make a directory accessible from anothercomputer. The directory contains a plurality of documents encryptedusing a local encryption key. In a step 2112, the share directoryoperation is intercepted by a policy enforcer on the desktop computer.In a step 2116, the intercepted share operation, along with pertinentinformation, is forwarded to the policy engine. In a step 2120, at leastone policy including a share policy is evaluated. The share operation isallowed.

In a step 2124, the documents in the directory are decrypted using thelocal encryption key. In a step 2128, the decrypted documents areencrypted using a shared encryption key. In a step 2132, the newlyencrypted documents in the directory are shared. For example, thedesktop computer may access the documents encrypted in the shareddirectory by using the shared encryption key. Also, a second desktopcomputer may access the documents encrypted in the shared directory byusing the shared encryption key.

This description of the invention has been presented for the purposes ofillustration and description. It is not intended to be exhaustive or tolimit the invention to the precise form described, and manymodifications and variations are possible in light of the teachingabove. The embodiments were chosen and described in order to bestexplain the principles of the invention and its practical applications.This description will enable others skilled in the art to best utilizeand practice the invention in various embodiments and with variousmodifications as are suited to a particular use.

The invention claimed is:
 1. A method comprising: providing a systemcomprising unencrypted and encrypted document content, wherein anunencrypted document is encrypted to become an encrypted document, andthe encrypted document is larger in size than the unencrypted documentfrom which it is derived; providing a policy server accessible todevices of the system, wherein the policy server comprises a pluralityof policies and each policy manages access to documents of the system;providing an encryption service driver executing on a computing deviceof the devices of the system, wherein the policy server is separate fromthe computing device; permitting access to an encrypted document by anapplication program on the computing device; when an access to theencrypted document occurs, using the encryption service to intercept theaccess of the encrypted document, wherein the intercepting the access ofthe encrypted document occurs at a system level of the applicationprogram comprising: allowing the access to the encrypted document by theapplication program to execute until a first system level operationexecutes; identifying the first system level operation as executing dueto the application program requesting access to the encrypted document;preventing the first system level operation from executing; at theencryption service, identifying the application program attempting toaccess the encrypted document; from the encryption service, sendingidentification information on the application program to a policyenforcer component, executing on the computing device; controllingaccess to the unencrypted content based on the first policy comprising:identifying a first application process identifier assigned by anoperating system executing on the computing device for the applicationprogram, wherein the application program is attempting access to theencrypted document; receiving a decryption key based on the firstapplication process identifier at the encryption service; using theencryption service to decrypt the encrypted document to produce theunencrypted content; providing the unencrypted content to theapplication program; and allowing the first system level operation toexecute.
 2. The method of claim 1 comprising: if the application programis determined not to be trusted, providing encrypted content of theencrypted document to the application program.
 3. The method of claim 1comprising: using the policy enforcer, determining if the applicationprogram can be trusted to protect unencrypted content of the encrypteddocument based on a first policy of the plurality of policies stored atthe policy server; and the controlling access to the unencrypted contentbased on the first policy is replaced by if the application program isdetermined to be trusted, controlling access to the unencrypted contentbased on the first policy.
 4. The method of claim 1 wherein theencryption service is a file system filter device driver.
 5. The methodof claim 1 wherein the encryption service is a device driver.
 6. Themethod of claim 1 wherein accessing the encrypted document comprises atleast one of opening the encrypted document or reading the content ofthe encrypted document.
 7. The method of claim 1 wherein the identifyingthe application program attempting the accessing an encrypted documentoperation comprises examining a process that invokes the accessing anencrypted document operation.
 8. The method of claim 3 wherein thedetermining if the application program can be trusted to protectunencrypted content of the encrypted document comprises: querying thepolicy enforcer to determine if the application program can be trustedto protect unencrypted content of the encrypted document.
 9. The methodof claim 3 wherein if the application program is determined to betrusted, decrypting the encrypted document to produce unencryptedcontent comprises: obtaining an encryption key from the policy enforcerto decrypt the encrypted document.
 10. The method of claim 3 comprising:when the application is a back-up program, identifying the applicationprogram as being not trusted, whereby a back-up program does not needaccess to the unencrypted content of the document to perform its back-upfunction.
 11. The method of claim 3 wherein an application program thatis determined to be trusted at a first time T1, and after an elapsedtime T2 after T1, the application program will be determined not to betrusted, and T2 is a configurable parameter.
 12. The method of claim 1wherein the encrypted document comprises a header comprising a key ringname and key ring number for a decryption key, and the decryption key isstored separate from the encrypted document.
 13. A method comprising:providing a policy enforcer executing at a first device; providing afirst application program executing at the first device; providing ashared key ring at the first device wherein the shared key ring isassociated with the policy enforcer and comprises at most one domain keyand a plurality of shared keys; providing a file at the first devicewherein the file further comprises a document content portion and acontrol data portion; extracting a content key from the control dataportion; encrypting the document content portion using the content key;extracting a first key identifier from the control data portion;requesting from the policy enforcer a domain key; encrypting the controldata portion of the file with the at most one domain key; at the firstdevice, providing access to the file and its encrypted control dataportion; intercepting at a second device a request to access the file ata second application program, wherein the intercepting the access of theencrypted document occurs at an system level of the application programcomprising: allowing the access to the encrypted document by theapplication program to execute until a first system level operationexecutes; identifying the first system level operation as executing dueto the application program requesting access to the encrypted document;and preventing the first system level operation from executing;determining at a policy enforcer executing at the second device whetherthe request to access the file at the second application program shouldbe granted; and if the request to access the file at a secondapplication program is granted, preparing the document content portion.14. The method of claim 13 wherein the preparing the document contentportion comprises: decrypting the content key with the domain key;requesting from the policy enforcer a shared key from the key ringwherein the shared key is accessible by the second device; receiving theshared key; and encrypting the domain key with the shared key.
 15. Themethod of claim 13 comprising: transmitting the document content portionencrypted by the content key to the second application program.
 16. Themethod of claim 15 wherein the policy enforcer is a memory residentprogram executing on the first device, and the policy enforcer programis separate for the operating system.
 17. The method of claim 15comprising: on the first device, executing a encryption service,separate from the policy enforcer, and the encryption service receivesthe shared key from the policy enforcer.
 18. The method of claim 17wherein the policy enforcer requests from a server and receives theshared key over a network connection to the first device.
 19. The methodof claim 13 wherein accessing the encrypted document comprises at leastone of opening the encrypted document or reading a content of theencrypted document.